CVE-2025-14874 — Improper Check or Handling of Exceptional Conditions in Nodemailer

CWE-703 — Improper Check or Handling of Exceptional Conditions9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 75.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodemailer Redhat Advanced Cluster Management FOR Kubernetes Redhat Ceph Storage

Timeline

PublishedDec 18

Description

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5nodemailer/nodemailer< 7.0.11

▶NVDnodemailer/nodemailer< 7.0.11

▶npmnodemailer/nodemailer< 7.0.11

▶NVDredhat/ceph_storage8.0

▶NVDredhat/advanced_cluster_management2.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion↗2025-12-18

▶

CVEList

Nodemailer: nodemailer: denial of service via crafted email address header↗2025-12-18

▶

OSV

CVE-2025-14874: A flaw was found in Nodemailer↗2025-12-18

▶

OSV

Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls↗2025-12-01

▶

GHSA

Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls↗2025-12-01

▶

📋Vendor Advisories

Red Hat

nodemailer: Nodemailer: Denial of service via crafted email address header↗2025-12-01

▶

Debian

CVE-2025-14874: node-nodemailer - A flaw was found in Nodemailer. This vulnerability allows a denial of service (D...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14874 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶